Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to disable the schedule_rtsearch capability?

emiller42
Motivator
‎06-12-2015 07:45 AM

I would like to create a role which has the following attributes:

  • Allows both historical and realtime ad-hoc searches
  • Allows the scheduling of historical searches (for alerting and reporting)
  • Disallows the scheduling of realtime searches

This is because users have a tendency to pick the 'per-event' alerting option when creating alerts, which creates all-time, real-time searches. I want to prevent them from being able to do so, as it's very uncommon for a realtime alert to have appreciable value over a scheduled search running on a short interval.

However, the schedule_rtsearch capability is actually included in the [default] stanza of authorize.conf, meaning it is always enabled on any roles without having to inherit. Because capabilities only have one setting (enabled) I can't create a role with schedule_rtsearch=disabled to override that default.

Is there any way to disable this functionality?

Reply
1 Solution
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎06-12-2015 07:50 AM

As discussed in irc:

Make your own local/authorize.conf with:

[default]
schedule_rtsearch =

View solution in original post

Reply
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎06-12-2015 07:50 AM

As discussed in irc:

Make your own local/authorize.conf with:

[default]
schedule_rtsearch =
Reply
Solved! Jump to solution

bravon
Communicator
‎11-10-2015 05:18 AM

This doesnt answer why its enabled by default tho..

Reply
Solved! Jump to solution

emiller42
Motivator
‎06-12-2015 07:59 AM

This appears to be working as desired! Thank you!

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...